Skip whitespaces between HTTP method and URL. (#1271)

* be less case-restrictive, RFC2616 wants it that way Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni <matzeton@googlemail.com> 2021-08-08 17:00:10 +0200
committer: GitHub <noreply@github.com> 2021-08-08 17:00:10 +0200
commit: 4e856a41d66952dbcd17d59b8b78b25d56304559 (patch)
tree: 9c66ece4af96138a9f10ea5bbd6ef45a7fd86b14
parent: 8e996f7f7c8f411a4c597e23fbaaecf284b038b0 (diff)
3 files changed, 22 insertions, 10 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c
index a2dd25f3c..bcc9fdb7f 100644
--- a/src/lib/protocols/http.c
+++ b/src/lib/protocols/http.c
@@ -245,7 +245,7 @@ static ndpi_protocol_category_t ndpi_http_check_content(struct ndpi_detection_mo
 	  if((attachment_len+ATTACHMENT_LEN) <= packet->content_disposition_line.len) {
 	    for(int i = 0; binary_file_ext[i] != NULL; i++) {
 	      /* Use memcmp in case content-disposition contains binary data */
-	      if(memcmp((const char*)&packet->content_disposition_line.ptr[attachment_len],
+	      if(memcmp(&packet->content_disposition_line.ptr[attachment_len],
 			binary_file_ext[i], ATTACHMENT_LEN) == 0) {
 		flow->guessed_category = flow->category = NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT;
 		ndpi_set_risk(ndpi_struct, flow, NDPI_BINARY_APPLICATION_TRANSFER);
@@ -733,9 +733,13 @@ static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *nd
   **/
   for(i=0; i < sizeof(http_methods)/sizeof(http_methods[0]); i++) {
     if(packet->payload_packet_len >= http_methods[i].len &&
-       memcmp(packet->payload,http_methods[i].str,http_methods[i].len) == 0) {
+       strncasecmp((const char*)packet->payload,http_methods[i].str,http_methods[i].len) == 0) {
+      size_t url_start = http_methods[i].len;
+      while (url_start < packet->payload_packet_len &&
+             url_start < http_methods[i].len + 2048 && /* We assume 2048 chars as maximum for URLs. */
+             packet->payload[url_start] == ' ') { url_start++; }
       NDPI_LOG_DBG2(ndpi_struct, "HTTP: %sFOUND\n",http_methods[i].str);
-      return http_methods[i].len;
+      return url_start;
     }
   }
   return 0;
@@ -872,7 +876,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
     if(filename_start == 0) { /* not a regular request. In the HTTP first stage, may be a truncated flow or other protocols */
       NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP not found, we look for possible truncate flow..\n");
 
-      if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) {
+      if(packet->payload_packet_len >= 7 && strncasecmp((const char *)packet->payload, "HTTP/1.", 7) == 0) {
         NDPI_LOG_INFO(ndpi_struct, "found HTTP response\n");
 
 	if(packet->payload_packet_len >= 12) {
@@ -965,8 +969,8 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
       return;
     } else {
       /* This check is required as RTSP is pretty similiar to HTTP (prevent false-positives). */
-      if (strncmp((const char *)packet->payload + filename_start,
-                  "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0)
+      if (strncasecmp((const char *)packet->payload + filename_start,
+                      "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0)
       {
         NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
         return;
@@ -997,7 +1001,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
 		  "Found more than one line, we look further for the next packet...\n");
 
     if(packet->line[0].len >= (9 + filename_start)
-       && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
+       && strncasecmp((const char *)&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
       /* Request line complete. Ex. "GET / HTTP/1.1" */
 
       packet->http_url_name.ptr = &packet->payload[filename_start];
@@ -1022,13 +1026,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
       }
 
       if((packet->http_url_name.len > 7)
-	 && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
+	 && (!strncasecmp((const char*) packet->http_url_name.ptr, "http://", 7))) {
         NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n");
         ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY, NDPI_PROTOCOL_CATEGORY_WEB);
         check_content_type_and_change_protocol(ndpi_struct, flow);
       }
 
-      if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) {
+      if(filename_start == 8 && (strncasecmp((const char *)packet->payload, "CONNECT ", 8) == 0)) {
 	/* nathan@getoffmalawn.com */
         NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n");
         ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT, NDPI_PROTOCOL_CATEGORY_WEB);
@@ -1106,7 +1110,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct
       }
       // http://www.slideshare.net/DSPIP/rtsp-analysis-wireshark
       if(packet->line[0].len >= 9
-	 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
+	 && strncasecmp((const char *)&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) {
 
         NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");
         ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB);
diff --git a/tests/pcap/http-manipulated.pcap b/tests/pcap/http-manipulated.pcap
new file mode 100644
index 000000000..908d6895d
--- /dev/null
+++ b/tests/pcap/http-manipulated.pcap
diff --git a/tests/result/http-manipulated.pcap.out b/tests/result/http-manipulated.pcap.out
new file mode 100644
index 000000000..c8ec82f6b
--- /dev/null
+++ b/tests/result/http-manipulated.pcap.out
@@ -0,0 +1,8 @@
+Guessed flow protos:	0
+
+DPI Packets (TCP):	12	(6.00 pkts/flow)
+
+HTTP	328	959347	2
+
+	1	TCP 192.168.0.20:33684 <-> 192.168.0.7:8080 [proto: 7/HTTP][cat: Web/5][156 pkts/9409 bytes <-> 162 pkts/948709 bytes][Goodput ratio: 10/99][6.10 sec][Host: www.lan][bytes ratio: -0.980 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 49/1 6005/73 537/6][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/5856 440/29254 45/5036][URL: www.lan:8080/aaaaaaaaaaaaaaaaaaaaaaaa_very_long_uri][StatusCode: 200][Content-Type: text/html][User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (GET                  /aaaaaaaaa)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,88]
+	2	TCP 192.168.0.20:33632 <-> 192.168.0.7:8080 [proto: 7/HTTP][cat: Web/5][6 pkts/412 bytes <-> 4 pkts/817 bytes][Goodput ratio: 18/71][0.00 sec][Host: wwww.lan][bytes ratio: -0.330 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 69/204 130/631 28/246][URL: wwww.lan:8080/][StatusCode: 200][Content-Type: text/html][User-Agent: curl/7.64.0][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (GET / HTTP/1.1)][Plen Bins: 0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,50,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
author	Toni <matzeton@googlemail.com>	2021-08-08 17:00:10 +0200
committer	GitHub <noreply@github.com>	2021-08-08 17:00:10 +0200
commit	4e856a41d66952dbcd17d59b8b78b25d56304559 (patch)
tree	9c66ece4af96138a9f10ea5bbd6ef45a7fd86b14
parent	8e996f7f7c8f411a4c597e23fbaaecf284b038b0 (diff)